CoreStaff Phishing Email: Anatomy of a Scam

This is a postscript to an earlier warning about the phish BROWN PART TIME JOB OFFER, which illustrates what could happen should you respond to it or something similar.

Below is an example of the first email you'd receive with the basic offer, almost identical to the one linked above except sent from another name and address. It contains a few suspicious attributes, prompting such questions as:

  • Why did this come from a Gmail account and not @corestaff.com?
  • How did they get access to the "school database"? 
  • What do they mean by "loyal", which is a strange quality to select (and how would they know)?
  • Why is there no contact information such as a phone number, address and website included in the signature?
  • Why the errors in spelling (part time should be hyphenated) and punctuation use (the comma after "doing any other" should be a period and a new sentence started) in a professional business letter?
  • What is this "JOB POSITION"; why no description?

On Wed, Feb 7, 2018 at 2:25 PM, Howard Glanton <howardglanton23@gmail.com> wrote:
Dear Student,

We got your contact through your school database and I'm happy to inform you that our reputable company CORESTAFF SERVICES Inc®,is currently running a student empowerment programme. This programme is to help loyal and hardworking studentslike you secure a part time job which does not deter you from doing any other, you just need a few hours to do this weekly and with an attractive weekly salary.

KINDLY EMAIL BACK WITH YOUR  PERSONAL EMAIL ADDRESS IF INTERESTED IN THIS JOB POSITION.

Kind Regards,

Howard Glanton,
HR Manager/Consultant
CORESTAFF SERVICES Inc®


After sending an email address, an applicant would receive the following reply, chocked full of information about CORESTAFF SERVICES (much taken from the TEKsystems, Inc. description appearing on Career Builder and on TEK's own site). The problem is, most of it is not true. A quick search of the Allegis Group site for CoreStaff shows no results. While there is a corestaff.com website, it is a thin shell, containing none of the information mentioned in their email, nor any more specifics about the company. A job description has been included this time, but it is extremely vague and includes typos. Finally, while providing few real details itself, it requests a great deal of personal information from the applicant, in fact, sufficient information that it could be used to commit identity theft.


On Wed, Feb 7, 2018 at 3:57 PM, Howard Glanton <howardglanton23@gmail.com> wrote:

Dear Applicant,

Thanks for getting back to us with your interest about the job position, CORESTAFF SERVICES Inc® is a privately held company within Allegis Group, the largest private talent management firm in the world. Our long-standing history and industry-leading position speak to our success in providing the IT staffing solutions, IT services and talent management insight required for our clients to actualize ROI and sustain a truly competitive advantage in a fast-changing market. We have established successful relationships with thousands of companies, government agencies and small entrepreneurial firms across all industries.

COMMITMENT: Our commitment to meeting our customers’ and consultants’ expectations is the foundation for building trust in our business relationships. Simply put, we foster an environment that demands integrity and accountability for results. To ensure our clients and consultants know exactly what they can expect from us, we make it our mission to hire smart, honest and hardworking individuals who possess a great deal of pride in setting the bar high and keeping their word.

JOB DESCRIPTION:CORESTAFF SERVICES Inc®  is seeking a Production support to Provide analysis and support for our clients production environment. This person will be responsible for analyzing, reporting and ordering production supplies. This is a part time job that does not deter you from doing any other. You just need a few hours of your time to do this weekly and you can have your own part of the work completed at your leisure time in school or at home.

SALARY/WAGES: $400 Weekly.

The successful candidate will need to be able to:
-Provide Quality communication etiquette skills and good organizational skills.
- Perform duties with accuracy, quality, and integrity.

We will always email you guidelines and instructions to follow in getting your job done perfectly as soon as you start working. if you care to proceed with the job offer, get back to us with the information listed below so we can process your information as to consider it valid to commence working with us.

NAME:
PHYSICAL CONTACT ADDRESS (NOT PO BOX)
CITY:
STATE:
ZIP CODE:
D.O.B:
GENDER:
MOBILE (Must be able to receive text) :
PERSONAL EMAIL:
CURRENT JOB:

We shall be contacting you as soon as we receive and validate this information.

Thanks,

Howard Glanton,
HR Manager/Consultant
CORESTAFF SERVICES Inc®


After sending the details requested, the applicant would receive the following reply, again full of errors in spelling, grammar and punctuation. It spells out the basic scheme -- you are sent a mail order or check for start up costs and will be paid $400 weekly -- which is similar to these job scams (example #1, example #2) posted elsewhere in the Phish Bowl. It also introduces the element of urgency ("your immediate response to this email is expected"), a common ploy of phishing scams. If not responded to quickly, the scammer would then start calling you.


On Thu, Feb 8, 2018 at 1:37 AM, Howard Glanton <howardglanton23@gmail.com> wrote:

I am happy to inform you that your application has now been processed and approved. We are presently in the process of reviewing each applicants details but due to the high level of interest in the position, we will not be able to interview every applicant. You will be getting paid weekly and you are entitled to $400 as your weekly pay. We will mail you a money order or check to cover your start up wages which will also include money for you to carry out your first assignment. You will be properly briefed in order to carry out every task appropriately along with the complete funds to cover them. I believe we started this with TRUST , HONESTY AND SOUND MIND!

NOTE: YOUR IMMEDIATE RESPONSE TO THIS EMAIL IS EXPECTED, AFTER WHICH, YOU SHALL RECEIVE YOUR FIRST PAYMENT AND INSTRUCTION.

MAKE SURE YOU CHECK YOUR E-MAIL AND PHONE MESSAGES DAILY.

Kind Regards,
Howard Glanton,
HR Manager/Consultant
CORESTAFF SERVICES Inc®


  • If you receive an email like this, please notify us at phishbowl@brown.edu and mark it as phishing.
  • If you had sent them personal information, you may possibly become a victim of identity theft and/or involved in a money-laundering scheme. We recommend that you stay vigilant for any signs of identity theft, listed on the Federal Trade Commission's (FTC) site. They also have a Complaint Center for processing incidents like this. 
  • You may also want to check out the FBI's Internet Crime Complaint Center (IC3) at https://www.ic3.gov/.
  • See also Signs of a Job Scam on the FTC's site.
  • Additional searches showed a variation on this email with different senders, such as this one from B&H Beverages posted on the UCLA phishing scam site, also on the indeed forum.
Phishing
Phishing Email (on campus)

Written by pfalcon@brown.edu on